Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
An interesting CAPTCHA
Date: November 15, 2007 06:40PM

From http://stonerocket.net, one of those generic free hosts that make you post.
Basically, it involves distinguishing animals(mostly cats) from objects through the use of radio boxes. It is quite an interesting idea, it uses many images and seems like a computer would not be able to tell unless every image was found and marked as what each type was. The image file names change randomly with the session ID too, but that would not stop a smart bot...

It was an interesting idea anyway.

Options: ReplyQuote
Re: An interesting CAPTCHA
Posted by: shooter
Date: November 21, 2007 05:50AM

I recentrly implemented this and BOOM. No more registered users on phpbb :) (well no spam bots, normal people can).

Its actually a really good idea. It also re-frames the image every time it grabs it and changes the hue of the image aswell.

I recommend this to everyone who runs a phpbb forum. Along with a proxy checker add on (it checks people who are registering to see if they are posting form a open proxy server, if they are. banned.)

##############################################################
## MOD Title: Photo Visual Confirmation
## MOD Author: Josh Yelon < jyelon@gmail.com > (Josh Yelon) N/A
## MOD Description:
## This patch to phpbb2 adds a new kind of Visual Confirmation,
## also known as a CAPTCHA. The person registering for an account must
## look at photographs and determine if they are photographs of animals
## or not.
## MOD Version: 1.0.1
##
## Installation Level: Easy
## Installation Time: 5 Minutes
## Files To Edit: admin/admin_board.php,
## includes/constants.php,
## includes/usercp_confirm.php,
## includes/usercp_register.php,
## language/lang_english/lang_admin.php,
## language/lang_english/lang_main.php,
## templates/subSilver/admin/board_config_body.tpl,
## templates/subSilver/profile_add_body.tpl
## Included Files: captcha-images/*.*
## License: http://opensource.org/licenses/gpl-license.php GNU General Public License v2
##############################################################
## For security purposes, please check: http://www.phpbb.com/mods/
## for the latest version of this MOD. Although MODs are checked
## before being allowed in the MODs Database there is no guarantee
## that there are no security problems within the MOD. No support
## will be given for MODs not found within the MODs Database which
## can be found at http://www.phpbb.com/mods/
##############################################################
## Author Notes:
##
## This patch to phpbb2 adds a new kind of Visual Confirmation,
## also known as a CAPTCHA. The person registering for an account must
## look at photographs and determine if they are photographs of animals
## or not.
##
## The captcha can be broken by a bot that has a copy of the photos. To
## do this, the bot must compare the presented images to the photos in
## the distribution. To make this a little harder, the mod randomly
## tweaks the gamma and randomly crops the images before presenting them
## to the user. Therefore, comparison requires more than a simple
## bit-for-bit equality test. This isn't a very strong protection,
## but it's better than nothing.
##
## The real strength of the captcha, however, is the fact that it's so
## easy for the board admin to replace the photos. A bot that doesn't
## have a copy of the photo library is at an almost crippling
## disadvantage. Once the photos have been replaced, this captcha is
## almost unbreakable.
##
## I have made it as easy as possible to drop in new photos. As you
## can see, there are two directories containing photos:
##
## images/captcha/animal
## images/captcha/non
##
## Which contain, respectively, animals and non-animals. All of the
## supplied images are 256x192 --- this is the optimal size. However,
## you can use images that are somewhat smaller or larger. All images
## must be jpegs. The filenames do not matter, although the extension
## must be jpg. It is recommended that the board admin delete all
## the supplied photos, and replace them with photos of his own.
##
## The supplied photos are kittens and cars. I intentionally didn't
## use a mix of different types of animals, or different types of
## non-animals. I feel that using two clear categories makes it
## easier for the human --- it is very easy to visually scan for
## kittens, but much harder to visually scan for animals-in-general.
##
## To enable the mod, you must browse to the board configuration
## page (admin_board.php), find the entry for "Visual Confirmation,"
## and select "Photos."
##
## This captcha requires the php GD extension. If you install this
## MOD without installing GD, the board configuration page will
## display the message "If you were to install the php GD extension,
## a photo-recognition mode would become available here."
##
## The code is quite small, and this mod integrates the new CAPTCHA
## cleanly into the phpbb2 2.0.21 codebase. It is my hope that the phpbb2
## developers will eventually include this mod with the distribution.
##
## This software is actually in the public domain, but the format of
## the license field above doesn't provide any means to specify that.
## Long story short, you can do anything at all with it.
##

Options: ReplyQuote
Re: An interesting CAPTCHA
Posted by: istari
Date: December 17, 2007 08:50PM

I wonder how many kittens we will have to kill before this one turns useless :P

More seriously, I haven't played quite enough with this mechanism, but I've already noticed something that looks like a fatal flaw: when you fetch an image (using the url with the hash provided in the form), it always displays the same type of image as the one in the form. So, if the image was an animal, it'll still be an animal, and if it was a car or something else, it'll still be something non-animal...

So to break the CAPTCHA, you don't need to have ALL the images in the server, but just a subset of them: you request each image as many times as necessary, until you get one that you can identify either as animal or non animal. You could do with exactly two images, but the more you have the less reloads you need. Once you're done with all the images, you submit the form and voila!

As for the simple distortion mechanisms, they're easily avoided using basic shape analisis to replace the bit per bit comparison...

In any case, this method needs a bit more work put into it, IMHO...

Cheers,

istari

PS: When programming a CAPTCHA solver (or adapting an existing one for a specific implementation), one usually downloads and solves dozens or even a hundred CAPTCHA's, and each one usually implies 4 or more steps (that is, identifying each of the letters in the CAPTCHA). That means that any decent attacker wouldn't mind downloading a few dozen kitten images, and classifying them as needed. For what I've seen, the image database in the server isn't that big (I even got the same image twice in the same form!), so even a rather small subset of all the images will do the trick...



Edited 2 time(s). Last edit at 12/17/2007 09:02PM by istari.

Options: ReplyQuote
Re: An interesting CAPTCHA
Posted by: rsnake
Date: December 30, 2007 02:44PM

Nice find, Istari! That's clever!

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.